Encrypted Remote Desktop Session?



Is there a way within a Remote Desktop session to tell if it's encrypted?

Is there a chance that someone could get my password not only to the RDP server but if I open an SSH session on that server could they get my SSH password?

I run PuTTY in an RDP session because the VM running the RDP server is on the same machine as the VM I am SSHing to, so that way I can resume the SSH session by resuming the RDP session (easier to resume an RDP session than an SSH session).

I mostly RDP from Windows 7 to Windows Server 2003 (No tag for it in Neowin's tagging system yet :( ), but I am concerned for other OSes I RDP to/from.


If it is running over port 443 it is encrypted. If it is running over port 3389 it is not encrypted. If you want to be sure it is encrypted, connect with a VPN prior to establishing a remote desktop connection... all data across a VPN is encrypted. VPN will require you to set it up and understand how to do so.


If it is running over port 443 it is encrypted. If it is running over port 3389 it is not encrypted. If you want to be sure it is encrypted, connect with a VPN prior to establishing a remote desktop connection... all data across a VPN is encrypted. VPN will require you to set it up and understand how to do so.

Are you sure that port 3389 is not encrypted? There's a setting to require encryption for RDP advanced systems settings so I believe all RDP sessions are encrypted.


If it is running over port 443 it is encrypted. If it is running over port 3389 it is not encrypted. If you want to be sure it is encrypted, connect with a VPN prior to establishing a remote desktop connection... all data across a VPN is encrypted. VPN will require you to set it up and understand how to do so.

That's not right. RDS runs over 3389 with encryption.


443 is for encrypted https. I dunno if RDP uses a different port if encrypted.

I have used RRAS to set up a VPN before but would like to connect without a VPN if I can. (Like I said I am using SSH so I imagine I could also use port forwarding to set up a tunnel).


Are you sure that port 3389 is not encrypted? There's a setting to require encryption for RDP advanced systems settings so I believe all RDP sessions are encrypted.

IIRC as of Windows 2003 encryption is on by default.


There's a setting to require encryption for RDP advanced systems settings so I believe all RDP sessions are encrypted.

IIRC as of Windows 2003 encryption is on by default.

Is there a way to check that encryption is actually being implemented to make sure?


443 is for encrypted https. I dunno if RDP uses a different port if encrypted.

I have used RRAS to set up a VPN before but would like to connect without a VPN if I can. (Like I said I am using SSH so I imagine I could also use port forwarding to set up a tunnel).

You can run without a VPN, but it's not a recommended practice for Windows 2003.


Is there a way to check that encryption is actually being implemented to make sure?

Open Terminal Services Configuration on the server and check the level.


Why is it not a recommended practice? It doesn't make sense to tunnel a connection that's already encrypted.

Honestly, I don't remember the exact reason, I think it was a DoS attack vector. I do remember it was a red flag.


Open Terminal Services Configuration on the server and check the level.

"Permission Compatibility" is set to "Full Security" (The default I would assume since I never changed it, it won't even let me open the properties to see the other options saying I have to be in application server mode).

So under "Full security" does this mean that if encryption is not available it won't even connect (So it will never fall back to an unsecure connection)?

It's a good assumption to assume Windows 7 to 2003 is encrypted but how would I know if I am encrypted if I am using a Linux RDP client?

Also when I connect from Windows 7 to Server 2003 it asks me to verify the host identity similar to SSH, so does that mean that it's using keys (Which I assume are automatically generated as I never generated any). Server 2003 doesn't ask for keys when connecting though so I am not sure if it's encrypted.

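One way to check from any client OS which security layer an RDP server selects, added here as an example and not part of any post in the thread: send the X.224 Connection Request that opens every RDP session and read the server's Connection Confirm. The function names and sample byte strings are constructed for illustration; the field values follow the published RDP specification (MS-RDPBCGR).

```python
import socket
import struct

# requestedProtocols / selectedProtocol values from MS-RDPBCGR.
PROTOCOLS = {0: "Standard RDP Security", 1: "TLS",
             2: "CredSSP (NLA)", 8: "CredSSP with Early User Auth"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_request(requested=0x03):
    """X.224 Connection Request with an RDP_NEG_REQ (0x03 offers TLS and CredSSP)."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_confirm(data):
    """Return the security layer named in an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not a TPKT / X.224 Connection Confirm")
    neg = data[11:struct.unpack(">H", data[2:4])[0]]
    if len(neg) < 8:
        # A server that predates protocol negotiation sends a bare confirm.
        return "Standard RDP Security (server sent no negotiation response)"
    kind, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if kind == 0x02:
        return PROTOCOLS.get(value, "unknown protocol 0x%x" % value)
    if kind == 0x03:
        return "negotiation refused: " + FAILURES.get(value, "code %d" % value)
    raise ValueError("unexpected negotiation type 0x%02x" % kind)

def probe(host, port=3389, timeout=5.0):
    """Ask a server you administer which security layer it selects."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request())
        return parse_confirm(s.recv(1024))

# Constructed sample replies (not captured from a real host).
SAMPLE_TLS = bytes.fromhex("030000130ed00000123400" "0200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
SAMPLE_REFUSED = bytes.fromhex("030000130ed00000123400" "0300080002000000")

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_LEGACY, SAMPLE_REFUSED):
        print(parse_confirm(sample))
```

A result of "Standard RDP Security" only identifies the layer: its encryption level is negotiated later in the connection sequence, so the level shown in Terminal Services Configuration on the server still has to be checked there.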

RDP IS encrypted, no matter what. The only difference is the system of authentication that is used between network layer or straight credentials. On the other hand though, Server 2003 uses the older RDP protocol which is easily brute forced, and there are man-in-the-middle attacks that I've seen be semi usable. My suggestion would be if you can, upgrade to Windows 7 Pro or higher with the RDP hack (unlimited RDP sessions) or Server 2008 R2. I've seen countless people with Russian and Chinese IP addresses trying to brute force my test virtual machines with XP and Server 2003 and have seen one get compromised with a decently complex password.

Also when I connect from Windows 7 to Server 2003 it asks me to verify the host identity similar to SSH, so does that mean that it's using keys (Which I assume are automatically generated as I never generated any).

Yes, they are autogenerated keys. On Server 2003 / 2008 you can actually get a full signed key such as from Verisign to remove that popup asking for the verification of the system's identity.


I've used a patch on Windows Vista Home Premium to get RDP (I hate you can't RDP in). On this laptop I just installed a VM to RDP into instead. My RDP server is not exposed on the internet so I don't have to worry about Russians or Chinese lol.

Are you allowed to post the patch for Windows 7 RDP here?

Windows 7 asks for host authentication but 2003 and XP don't, how come? I thought maybe it wasn't encrypted, but maybe it is encrypted but just doesn't verify the host?


Are you sure that port 3389 is not encrypted? There's a setting to require encryption for RDP advanced systems settings so I believe all RDP sessions are encrypted.

You tell me

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794

To the rest of it, terminal server gateway services uses SSL or port 443 and can encrypt. By default out of the box it does not encrypt; you can fix it if you choose, but you must know enough to do it and make the choice to do so.


"It doesn't make sense to tunnel a connection that's already encrypted."

Agreed, little point to the double encryption -- but that's not really the reason you VPN before you make such connections to devices on your network.

Normally a VPN into your network is going to require a much more secure auth method than just a username and password - which is what happens when you directly expose remote desktop. And also the remote hacker would need to know the details of the server you're running, etc.

I use OpenVPN into my home network -- you need to have a cert signed by MY CA. So unless you stole my USB key you're not going to get in; then even if you did this without my knowing, you would still need the password to the cert to use it. And then the username and password to actually auth as well. Because as soon as I notice my USB key missing I would just revoke the cert issued, and you're not getting in no matter how much of the other info you also had.

Let's say you managed to get in, all that did was get you on the network - you still have to auth to any devices on said network.

This is much more secure than just username and password to anyone that wants to try their luck at guessing it on the planet.


This topic is now closed to further replies.